EAP

Posted at 2021-10-26

Extensible Authentication Protocol (EAP) over LAN (802.1X) is a framework that defines the transport and use of credentials: usernames, passwords, certificates, tokens, and OTPs.

EAP is made up of three components: supplicant, authenticator, and authentication server. The connection between the Supplicant (client or peer) and the Authenticator (switch, NAD, or Policy Enforcement Point) is layer 2.
The connection from the Authenticator (switch) to the Authentication Server is layer 3.

Authenticator (NAD) types include a switch, WLC, ASA, FTD, load balancer, or software application.

There are two main types of EAP: native EAP (non-tunneled) and tunneled EAP.

EAP-MD5:
Credentials are hidden in a hash. Common in IP phones and alongside MAB deployments. Its weakness is that authentication is one-way: the client does not check whether the authenticator is trusted.

EAP-TLS:
Supports mutual authentication and uses X.509 certificates. Endpoints must possess a private key. Gaining popularity in enterprise BYOD cases.

EAP-MS-CHAPv2:
Sends encrypted credentials within an MS-CHAPv2 session.
Supported as a tunneled (inner) EAP method only with ISE.

EAP-GTC (Generic Token Card):
An alternative to MS-CHAPv2 that allows OTP. Supported as a tunneled (inner) EAP method only.

PEAP:
Has an inner tunnel and an outer tunnel.
Builds the outer tunnel first, then exchanges credentials within an "inner method." Supported inner methods: EAP-TLS, EAP-MS-CHAPv2, EAP-GTC. The outer identity provides a mechanism to authenticate the identity when establishing the tunnel.

EAP-FAST (Flexible Authentication via Secure Tunneling):
A Cisco invention. Its benefit is faster re-authentication for wireless roaming. FAST uses Protected Access Credentials (PAC), which act like a secure cookie stored locally to prove the client has already authenticated.
FAST: configure the authentication method list to be processed in order: authentication order [dot1x] [mab] [webauth].

EAP-TTLS supports the eduroam.org initiative, allowing "federated college students" to roam between sites.
Setup is simpler, and the ability to resume sessions with TLS tunneling is enhanced.

Tunnel EAP (TEAP) is a combined effort of key vendors to bring all of the benefits into a single tunnel method: EAP chaining, certificate provisioning, management, and channel binding.

EAP chaining:
So you want to use multiple devices in a single session?
Multiple credentials can be authenticated in a single EAP transaction with EAP chaining. EAP chaining can be done with Cisco AnyConnect NAM (Network Access Manager) and pushed out manually with EAP-FAST, or natively in Windows 10 with TEAP.
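To make the method taxonomy above concrete, here is an added example (not part of the original notes) that parses EAPOL/EAP frames and sorts the negotiated methods into the groups the notes describe: tunneled (PEAP, EAP-FAST, EAP-TTLS, TEAP), native mutual (EAP-TLS), inner-only (EAP-MS-CHAPv2, EAP-GTC) and one-way (EAP-MD5). It reports the outer identity, what the supplicant Naks in favour of, and flags two things a defender cares about: an EAP-MD5 offer (one-way, the client cannot verify the authenticator) and an inner-only method visible on the wire, which means it is running outside a TLS tunnel. The method type numbers and header layout are from RFC 3748 and the IANA EAP registry; the sample conversation is constructed, and all function names are my own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# EAP Code values (RFC 3748, section 4.1).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# IANA EAP method type numbers for the methods covered in the notes.
EAP_TYPES = {
    1: "Identity", 3: "Nak", 4: "EAP-MD5", 6: "EAP-GTC", 13: "EAP-TLS",
    21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MS-CHAPv2", 43: "EAP-FAST", 55: "TEAP",
}

# Grouping follows the notes: tunneled methods build a TLS outer tunnel first,
# EAP-TLS is native but mutual, MS-CHAPv2/GTC are inner-only, MD5 is one-way.
TUNNELED = {"PEAP", "EAP-FAST", "EAP-TTLS", "TEAP"}
NATIVE_MUTUAL = {"EAP-TLS"}
INNER_ONLY = {"EAP-MS-CHAPv2", "EAP-GTC"}
ONE_WAY = {"EAP-MD5"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    method: Optional[str]   # None for Success/Failure, which carry no Type byte
    type_data: bytes


def build_eapol_eap(code: int, ident: int, type_num: Optional[int] = None,
                    data: bytes = b"") -> bytes:
    """Wrap one EAP packet in an EAPOL (802.1X) EAP-Packet frame.
    Used only to construct the sample conversation below."""
    eap_body = b"" if type_num is None else bytes([type_num]) + data
    eap = struct.pack("!BBH", code, ident, 4 + len(eap_body)) + eap_body
    return struct.pack("!BBH", 2, 0, len(eap)) + eap   # EAPOL v2, type 0 = EAP-Packet


def parse_eapol_eap(frame: bytes) -> EapPacket:
    """Parse an EAPOL frame carrying an EAP-Packet, checking both length fields."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:
        raise ValueError(f"not an EAP-Packet (EAPOL type {eapol_type})")
    body = frame[4:4 + eapol_len]
    if len(body) != eapol_len or len(body) < 4:
        raise ValueError("EAPOL length does not match payload")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != len(body):
        raise ValueError("EAP length does not match payload")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if code in (3, 4):                       # Success / Failure: header only
        return EapPacket(EAP_CODES[code], ident, None, b"")
    if eap_len < 5:
        raise ValueError("Request/Response without Type byte")
    type_num = body[4]
    return EapPacket(EAP_CODES[code], ident,
                     EAP_TYPES.get(type_num, f"type-{type_num}"), body[5:])


def classify(method: str) -> str:
    """Map a method name onto the categories used in the notes."""
    if method in TUNNELED:
        return "tunneled"
    if method in NATIVE_MUTUAL:
        return "native-mutual"
    if method in INNER_ONLY:
        return "inner-only"
    if method in ONE_WAY:
        return "one-way"
    return "other"


def summarize_session(frames: List[bytes]) -> Dict[str, object]:
    """Walk one EAP conversation: outer identity, methods offered, Nak'd
    alternatives, and findings a defender would want to see."""
    outer_identity = None
    methods: List[str] = []
    requested: List[str] = []
    findings: List[str] = []
    for frame in frames:
        pkt = parse_eapol_eap(frame)
        if pkt.method is None:
            continue
        if pkt.method == "Identity":
            if pkt.code == "Response":          # the outer identity the notes mention
                outer_identity = pkt.type_data.decode("utf-8", "replace")
        elif pkt.method == "Nak":
            # A Nak lists the method types the supplicant is willing to use instead.
            requested += [EAP_TYPES.get(t, f"type-{t}") for t in pkt.type_data]
        else:
            methods.append(pkt.method)
            cls = classify(pkt.method)
            if cls == "one-way":
                findings.append(f"id {pkt.identifier}: {pkt.method} offered; one-way "
                                "authentication, supplicant cannot verify the authenticator")
            elif cls == "inner-only":
                findings.append(f"id {pkt.identifier}: {pkt.method} visible on the wire; "
                                "it should only run as an inner method inside a TLS tunnel")
    return {"outer_identity": outer_identity, "methods": methods,
            "requested": requested, "findings": findings}


# Constructed sample conversation: the authenticator offers EAP-MD5, the
# supplicant Naks it and asks for PEAP, the tunnel starts, then Success.
SAMPLE_SESSION = [
    build_eapol_eap(1, 1, 1),                                        # Request/Identity
    build_eapol_eap(2, 1, 1, b"anonymous@example.com"),              # Response/Identity
    build_eapol_eap(1, 2, 4, bytes([16]) + b"\x11" * 16 + b"nas01"),  # Request/MD5-Challenge
    build_eapol_eap(2, 2, 3, bytes([25])),                           # Response/Nak -> PEAP
    build_eapol_eap(1, 3, 25, b"\x20"),                              # Request/PEAP, Start flag
    build_eapol_eap(3, 3),                                           # Success
]

if __name__ == "__main__":
    for line in summarize_session(SAMPLE_SESSION)["findings"]:
        print(line)
```

Once PEAP starts, the inner method is encrypted, so seeing type 26 (EAP-MS-CHAPv2) or type 6 (EAP-GTC) in clear EAPOL frames is itself the signal that the credential exchange is not tunneled; the parser also rejects frames whose EAPOL and EAP length fields disagree rather than trusting either one.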
